ENTERPRISE DATA PROTECTION, DATA OWNERSHIP & DATA RETENTION POLICY

ENCRISS TECHNOLOGIES LLP

Effective Date: 26th May 2026

1. INTRODUCTION

Encriss Technologies LLP (“Encriss”, “Company”, “we”, “our”, or “us”) is committed to implementing commercially reasonable operational, organisational, technical, administrative, and security measures for the protection, confidentiality, integrity, availability, governance, management, processing, storage, transmission, retention, archival, and lawful handling of information and Client Data processed through Encriss platforms, applications, APIs, automation systems, Artificial Intelligence systems, chatbot systems, cloud systems, communication systems, integrations, infrastructure environments, and related services including GMart Automation.

2. PURPOSE OF THIS POLICY

The purpose of this Policy is to define the principles, rights, obligations, controls, operational practices, security measures, data governance standards, processing activities, data retention practices, ownership principles, access controls, and operational safeguards applicable to Client Data and information processed through the Services and Platform.

3. APPLICABILITY

This Policy applies to all Clients, Users, enterprise customers, affiliates, partners, vendors, contractors, implementation partners, consultants, subcontractors, authorised personnel, cloud environments, hosting environments, infrastructure providers, APIs, communication systems, AI systems, automation workflows, integrations, analytics systems, chatbot systems, and operational systems used, managed, operated, controlled, or accessed by Encriss.

4. CLIENT DATA OWNERSHIP

The Client shall retain all rights, title, and interest in and to the Client Data. Nothing contained in this Policy, the Terms & Conditions, any Statement of Work (“SOW”), commercial arrangement, proposal, order form, subscription plan, or related agreement shall be construed as transferring ownership of Client Data to Encriss.

5. RIGHTS OF ENCRISS TO PROCESS CLIENT DATA

The Client acknowledges and agrees that Encriss shall have the right to access, process, store, host, analyse, monitor, transmit, secure, replicate, archive, retain, manage, use, maintain, classify, cache, transfer, retrieve, back up, restore, log, and otherwise handle Client Data for the purposes of providing, operating, maintaining, supporting, securing, improving, enhancing, troubleshooting, analysing, optimising, and delivering the Services, Platform, chatbot systems, AI systems, automation workflows, APIs, integrations, dashboards, communication systems, analytics systems, infrastructure systems, and related offerings.

6. PURPOSES OF DATA PROCESSING

Client Data and operational information may be processed for platform operations, service delivery, support, onboarding, troubleshooting, diagnostics, analytics, automation workflows, AI processing, chatbot services, communication services, monitoring, logging, maintenance, security, fraud prevention, legal compliance, invoicing, operational optimisation, performance enhancement, system reliability, integrations, cloud operations, backup operations, archival processes, and business continuity purposes.

7. DATA CATEGORIES

Information processed through the Platform and Services may include personal information, business information, operational data, workflow records, communication data, chatbot interactions, AI prompts, AI outputs, API requests, metadata, technical logs, analytics data, device information, authentication data, customer records, support records, usage information, billing information, infrastructure logs, security logs, and other Client Data necessary for operation and delivery of the Services.

8. MULTI-TENANT AND SHARED INFRASTRUCTURE ENVIRONMENTS

The Client acknowledges that the Platform and Services may operate using multi-tenant infrastructure, logically isolated environments, shared cloud environments, shared infrastructure components, shared processing systems, shared analytics systems, shared monitoring systems, or other operational architectures determined by Encriss for efficient operation and delivery of the Services.

9. DATA ISOLATION

Where applicable, Encriss may implement logical isolation, tenant segregation, access restrictions, security controls, environment separation, operational boundaries, or architecture-level controls intended to reduce unauthorised access between clients or tenant environments. However, the Client acknowledges that no environment can be guaranteed to be fully isolated or immune from operational, infrastructure, or security risks.

10. DATA ACCESS CONTROLS

Access to Client Data, infrastructure systems, operational systems, applications, cloud systems, and databases shall be restricted to authorised personnel, systems, contractors, service providers, or operational entities requiring such access for legitimate operational, support, security, analytics, maintenance, compliance, or service delivery purposes.

11. SECURITY MEASURES

Encriss may implement commercially reasonable technical, organisational, administrative, and operational security measures including authentication systems, access controls, role-based access management, encryption mechanisms, infrastructure security controls, firewall protections, monitoring systems, audit logging, endpoint protections, network protections, operational controls, cloud security controls, and backup protections.

12. NO ABSOLUTE SECURITY GUARANTEE

While Encriss implements commercially reasonable safeguards, the Client acknowledges that no platform, infrastructure environment, communication network, cloud system, API, hosting environment, or technology system can be guaranteed to be fully secure, uninterrupted, immune from cyber threats, or free from unauthorised access, security incidents, outages, vulnerabilities, or operational failures.

13. CLIENT RESPONSIBILITIES

The Client shall remain solely responsible for ensuring that all Client Data, customer records, communications, campaigns, workflows, prompts, chatbot interactions, automation processes, uploaded materials, and information submitted to the Platform comply with Applicable Law, privacy obligations, communication regulations, contractual obligations, industry standards, and third-party policies.

14. CONSENTS AND LEGAL BASIS

The Client shall be solely responsible for obtaining and maintaining all necessary consents, permissions, approvals, authorisations, legal bases, notices, and lawful rights required for collection, processing, transmission, communication, storage, hosting, and use of Client Data.

15. DATA SHARING

Client Data and operational information may be shared, transmitted, hosted, processed, or managed through authorised third-party infrastructure providers, cloud providers, communication providers, AI providers, analytics providers, API providers, telecom providers, hosting providers, monitoring providers, payment processors, subcontractors, implementation partners, and technology service providers strictly to the extent necessary for operation, maintenance, support, security, analytics, compliance, enhancement, or delivery of the Services.

16. CROSS-BORDER DATA PROCESSING

The Client acknowledges that information and Client Data may be processed, stored, transmitted, replicated, backed up, archived, analysed, or hosted across multiple jurisdictions through cloud infrastructure, hosting providers, AI systems, communication providers, analytics systems, authorised service providers, or infrastructure environments used by Encriss.

17. AI SYSTEMS AND AUTOMATION

Encriss may use Artificial Intelligence systems, Large Language Models (LLM), recommendation systems, analytics systems, chatbot systems, automation workflows, AI-assisted technologies, and related systems as part of the Services. AI-generated outputs may be probabilistic in nature and may not always be accurate, complete, or reliable.

18. DATA RETENTION DURING ACTIVE SERVICES

Client Data and operational information may be retained during the period of active Subscription Services, active implementation, active onboarding, active support, or active commercial engagement in accordance with operational practices, hosting architecture, business continuity requirements, support requirements, compliance requirements, security practices, and applicable commercial arrangements.

19. RETENTION ON EXPIRY, DEFAULT, OR TERMINATION

In the event of subscription expiry, suspension, non-renewal, inactivity, payment default, breach, or termination of Services, Encriss shall have no obligation to continue hosting, preserving, maintaining, restoring, supporting, recovering, or making available Client Data beyond applicable retention periods or operational requirements.

20. GRACE PERIOD

Following suspension, expiry, non-renewal, or payment default, Encriss may, at its sole discretion, provide limited read-only access to Client Data for a limited grace period solely for retrieval or review purposes. During such period, active use of the Platform, workflows, APIs, automation systems, AI systems, chatbot systems, integrations, or communication systems may remain disabled or restricted.

21. DATA EXPORT

Requests relating to export, retrieval, migration, restoration, archival retrieval, or transfer of Client Data may be subject to verification, operational feasibility, technical limitations, outstanding dues, retention periods, support availability, contractual obligations, security procedures, and Applicable Law.

22. DATA DELETION AND ARCHIVAL

Encriss reserves the right, at its sole discretion, to permanently delete, archive, move to cold storage, deactivate, or remove Client Data from active systems following expiry of retention periods, suspension periods, grace periods, inactivity periods, or termination of Services.

23. BACKUP DISCLAIMER

Unless expressly agreed in writing, Encriss shall not be treated as the Client’s official backup provider, statutory archive, compliance repository, disaster recovery provider, system of record, or long-term preservation provider. The Client shall remain solely responsible for maintaining independent backups and archival copies of its data.

24. INCIDENT RESPONSE

Encriss may implement operational procedures intended for identification, logging, assessment, investigation, containment, mitigation, monitoring, and response relating to suspected security incidents, operational threats, unauthorised access, misuse, vulnerabilities, outages, fraud, or data exposure events.

25. CONFIDENTIALITY AND ACCESS RESTRICTIONS

Employees, contractors, consultants, service providers, implementation partners, and authorised personnel handling Client Data or Confidential Information may be subject to confidentiality obligations, operational restrictions, access controls, security procedures, and internal governance requirements.

26. THIRD-PARTY DEPENDENCIES

The Platform and Services may depend upon third-party infrastructure providers, cloud systems, APIs, communication providers, Meta / WhatsApp systems, AI providers, analytics systems, hosting providers, telecom providers, and other Third Party Technology. Encriss shall not be responsible for outages, restrictions, policy changes, suspensions, pricing changes, failures, or operational issues arising from such third-party systems.

27. AUDIT RESTRICTIONS

The Client shall not have audit rights over Encriss infrastructure, source code, platform architecture, security configurations, internal tools, workflows, operational procedures, proprietary technology, infrastructure systems, cloud systems, internal processes, or internal security mechanisms except to the limited extent required under Applicable Law and only upon prior written consent of Encriss.

28. NO LIABILITY

Encriss shall not be liable for any loss, corruption, deletion, unavailability, non-restoration, unauthorised access, operational failure, service interruption, outage, or security incident arising from third-party infrastructure failures, cloud outages, Client-side vulnerabilities, compromised credentials, misuse of the Platform, cyber incidents, force majeure events, operational limitations, or failure by the Client to maintain independent backups.

29. POLICY MODIFICATIONS

Encriss reserves the right to modify, revise, replace, amend, or update this Policy at any time. Updated versions shall become effective upon publication on the applicable website, platform, communication channel, or operational system.

30. CONTACT INFORMATION

Encriss Technologies LLP
Founder & CEO: Sumit Garg
Email: sgarg@encriss.com
Website: https://www.encriss.com
Platform: https://www.gmart.in
Address: 1005, 1007, DLF Galleria Tower, DLF Phase IV, Gurgaon – 122009, India